Parsing Unsanitized JSON from Ruby

Submitted by mmorsi on Sat, 2013-09-28 11:24

Recently CVE-2013-0269 was filed against the json gem, and a subsequent patch was pushed resolving the issue. The root cause was the json gem's automatic mapping of class names, encoded as strings in JSON data, to Ruby classes. The Ruby class name lookup mechanism used there converts strings into symbols, which are not garbage collected by Ruby. This means that if a machine uses json to parse unsanitized JSON, it may be subject to a DoS attack.

RJR currently supports this automatic conversion of classes, so the situation is problematic. Technically RJR doesn't need to support this, but it's a nice feature to have. After a bit of investigation I filed an issue with a few workarounds, along with a pull request. These are detailed below:

I'm hoping the pull request to json will be accepted so that I can just rely on a custom matcher plugin in rjr. In the meantime I've pushed a patch to rjr that implements a hybrid solution: it supports the registration of JSON-creatable classes, and falls back to the class namespace to resolve references that are not registered. Since this is all used and encapsulated in rjr itself, the JSON module does not have to be monkey-patched.
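The registration half of the approach above, as an added example that is not rjr's own code: parsing is done with the json gem's `create_additions` disabled so the gem never resolves a `json_class` name itself, and a small allowlist registry decides which classes may be revived. The `SafeJsonCreate` module and the `Point` class are constructed for this example; the namespace fallback is deliberately omitted, so unregistered names stay plain hashes.

```ruby
require 'json'

# Allowlist registry of classes a JSON document may instantiate.
# Constructed for this example; not code from rjr or the json gem.
module SafeJsonCreate
  REGISTRY = {}

  def self.register(klass)
    REGISTRY[klass.name] = klass
  end

  # create_additions: false keeps the json gem from looking up arbitrary
  # "json_class" strings as constants (the lookup interns them as symbols).
  def self.parse(str)
    revive(JSON.parse(str, create_additions: false))
  end

  # Walk the parsed structure; only registered classes are instantiated.
  # Any other "json_class" value is left untouched as a plain hash.
  def self.revive(obj)
    case obj
    when Array
      obj.map { |e| revive(e) }
    when Hash
      revived = obj.each_with_object({}) { |(k, v), h| h[k] = revive(v) }
      klass = REGISTRY[revived['json_class']]
      klass ? klass.json_create(revived) : revived
    else
      obj
    end
  end
end

# A constructed class that opts into JSON creation by registering itself.
class Point
  attr_reader :x, :y

  def initialize(x, y)
    @x = x
    @y = y
  end

  def self.json_create(h)
    new(h['x'], h['y'])
  end
end
SafeJsonCreate.register(Point)
```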